
Thread: HOWTO: Set a custom firewall (iptables) and Tips [Beginners edition]

  1. #281
    Join Date
    Oct 2010
    Beans
    1

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Beginners edition]

    Thank you. It helped me a lot.
    Last edited by ariunbayar; October 10th, 2010 at 05:17 AM.

  2. #282
    Join Date
    Dec 2006
    Beans
    10

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Beginners edition]

    Shouldn't we be using insserv instead of update-rc.d to enable the firewall init script?
    Also; shouldn't we be using LSB headers in the firewall init script?

    #! /bin/sh
    ### BEGIN INIT INFO
    # Provides: custom firewall
    # Required-Start: $remote_fs $syslog $network
    # Required-Stop: $remote_fs $syslog $network
    # Default-Start: 2 3 4 5
    # Default-Stop: 0 1 6
    # Short-Description: firewall initscript
    # Description: Custom Firewall
    ### END INIT INFO
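
An added example (not part of the post or the tutorial) that parses the LSB header block discussed above and reports which keywords an init script lacks. The list of required keywords is an assumption based on the Debian LSBInitScripts wiki the thread links to, and both sample files are constructed; because `Provides` is a whitespace-separated list, the block also counts the facility names it declares.

```shell
# Added example: inspect the LSB header block of an init script.

# Print the value of LSB keyword $2 from the header block of file $1.
lsb_field() {
    awk -v key="$2" '
        /^### BEGIN INIT INFO/ { inblk = 1; next }
        /^### END INIT INFO/   { inblk = 0 }
        inblk && index($0, "# " key ":") == 1 {
            sub(/^# [^:]*:[ \t]*/, ""); print; exit
        }' "$1"
}

# Print the required keywords (assumed list) absent or empty in file $1.
lsb_missing() {
    missing=""
    for key in Provides Required-Start Required-Stop Default-Start Default-Stop; do
        if [ -z "$(lsb_field "$1" "$key")" ]; then missing="$missing $key"; fi
    done
    echo "${missing# }"
}

# Count the facility names in Provides (a whitespace-separated list).
lsb_provides_count() {
    set -- $(lsb_field "$1" Provides)
    echo "$#"
}

# Constructed samples: the header from the post, and a script without one.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#! /bin/sh
### BEGIN INIT INFO
# Provides: custom firewall
# Required-Start: $remote_fs $syslog $network
# Required-Stop: $remote_fs $syslog $network
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: firewall initscript
# Description: Custom Firewall
### END INIT INFO
EOF
bare=$(mktemp); echo '#! /bin/sh' > "$bare"

lsb_missing "$bare"            # all five required keywords
lsb_missing "$sample"          # empty line: nothing missing
lsb_provides_count "$sample"   # 2 ("custom" and "firewall")
```

A count of 2 means the header declares two separate facilities; a single name without a space declares one.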

  3. #283
    Join Date
    Jun 2005
    Location
    France
    Beans
    7,100
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Beginners edition]

    Quote: Originally Posted by devout
    Shouldn't we be using insserv instead of update-rc.d to enable the firewall init script?

    What are the advantages?

    Quote: Originally Posted by devout
    Also; shouldn't we be using LSB headers in the firewall init script?

    #! /bin/sh
    ### BEGIN INIT INFO
    # Provides: custom firewall
    # Required-Start: $remote_fs $syslog $network
    # Required-Stop: $remote_fs $syslog $network
    # Default-Start: 2 3 4 5
    # Default-Stop: 0 1 6
    # Short-Description: firewall initscript
    # Description: Custom Firewall
    ### END INIT INFO

    Maybe, never heard about it before.

  4. #284
    Join Date
    Dec 2006
    Beans
    10

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Beginners edition]

    Quote: Originally Posted by frodon
    What are the advantages?
    Maybe, never heard about it before.

    Provides more flexibility in regards to dependency based booting.
    Finer grained control of init.d script ordering.

    Have a look at:
    http://wiki.debian.org/LSBInitScript...dencyBasedBoot
    http://wiki.debian.org/LSBInitScripts/
    The FAQ at the bottom of the above link says the following:

    "Since we want to be LSB compliant, init.d scripts can be adjusted now to be LSB compliant."

    http://forums.debian.net/viewtopic.p...66308&start=15
    "you should also refer people to insserv, and touch on LSB headers since they're now pretty much a requirement for any scripts in /etc/init.d"


    I'm no authority on the matter, I'm just trying to set up my set of netfilter rules via iptables, and your example looked like the most complete example I've seen so far, so I decided to use it as a starting point.
    Then I found some other posts of people saying we should now be using insserv instead of update-rc.d.

    http://wiki.kartbuilding.net/index.p...7s_update-rc.d

    When I run the following:
    sudo update-rc.d firewall defaults
    I get the following:
    update-rc.d: warning: /etc/init.d/firewall missing LSB information
    update-rc.d: see <http://wiki.debian.org/LSBInitScripts>
    Adding system startup for /etc/init.d/firewall ...
    /etc/rc0.d/K20firewall -> ../init.d/firewall
    /etc/rc1.d/K20firewall -> ../init.d/firewall
    /etc/rc6.d/K20firewall -> ../init.d/firewall
    /etc/rc2.d/S20firewall -> ../init.d/firewall
    /etc/rc3.d/S20firewall -> ../init.d/firewall
    /etc/rc4.d/S20firewall -> ../init.d/firewall
    /etc/rc5.d/S20firewall -> ../init.d/firewall



    Noob question: Wondering why you use bash for /etc/firewall.bash
    and /etc/init.d/firewall
    but dash for /etc/flush_iptables.bash
    Is this because bash provides better debugging?

    Also looking at the following:
    # No spoofing
    if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
    then
        for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
        do
            echo 1 > "$filtre"
        done
    fi

    Would this be neater as:

    if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
        echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
    fi

    As I think all covers all interfaces?
    http://linuxgazette.net/issue77/lechnyr.html


    Have also noticed that I can run the following now:
    service firewall stop/start/etc


    Thoughts?
    Last edited by devout; July 10th, 2011 at 12:26 PM.
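
Whether writing only `conf/all/rp_filter` is enough depends on how the kernel combines it with the per-interface value. An added example (not from the tutorial or the posts above), assuming the rule in the kernel's ip-sysctl documentation that the effective `rp_filter` on an interface is the maximum of `conf/all` and `conf/<interface>`; the `make_conf` helper and the sample tree are constructed for the demonstration.

```shell
# Added example. Assumed rule: effective rp_filter on an interface is
# max(conf/all/rp_filter, conf/<iface>/rp_filter)  (kernel ip-sysctl doc).
# Modes: 0 = off, 1 = strict, 2 = loose.

# Print "<iface> <effective>" for every interface under conf dir $1.
rp_effective() {
    conf="${1:-/proc/sys/net/ipv4/conf}"
    all=$(cat "$conf/all/rp_filter")
    for f in "$conf"/*/rp_filter; do
        iface=$(basename "$(dirname "$f")")
        # "all" is the global knob; "default" only seeds new interfaces.
        case "$iface" in all|default) continue ;; esac
        eff=$(cat "$f")
        if [ "$all" -gt "$eff" ]; then eff=$all; fi
        echo "$iface $eff"
    done
}

# Print the interfaces that are not in strict mode (effective value != 1).
rp_not_strict() {
    rp_effective "$1" | while read -r iface eff; do
        if [ "$eff" -ne 1 ]; then echo "$iface"; fi
    done
}

# Build a constructed conf tree: make_conf DIR name=value ...
make_conf() {
    dir=$1; shift
    for kv in "$@"; do
        mkdir -p "$dir/${kv%%=*}"
        echo "${kv#*=}" > "$dir/${kv%%=*}/rp_filter"
    done
}

# Constructed sample: only "all" is 1, and one interface is in loose mode.
demo=$(mktemp -d)
make_conf "$demo" all=1 default=0 lo=0 eth0=0 wlan0=2
rp_effective "$demo"      # eth0 1 / lo 1 / wlan0 2
rp_not_strict "$demo"     # wlan0
```

Under that rule, writing 1 to `conf/all` raises every interface to at least strict mode, while an interface already set to 2 stays loose; running `rp_not_strict` with no argument checks the live `/proc` tree.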

  5. #285
    Join Date
    Jun 2005
    Location
    France
    Beans
    7,100
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Beginners edition]

    If the LSB header removes the warning I will add it to the tutorial; at the time I'm not sure this even existed.

    For the use of sh instead of bash, no reason except that I was used to sh at the time and surely forgot to use bash for this script as it is more widely used; not really important for this script anyway.

    Sorry if I can't provide all the answers to your question.

  6. #286
    Join Date
    Jun 2011
    Beans
    354

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Beginners edition]

    Moved
    Last edited by SUPERFITTER; July 13th, 2011 at 04:51 AM. Reason: moved
